[Koha-bugs] [Bug 7973] Allow for new type of LDAP authentication
bugzilla-daemon at bugs.koha-community.org
Tue Jul 2 16:50:26 CEST 2013
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=7973
--- Comment #31 from acowell at daviscollege.edu ---
You would be correct: in a Windows Active Directory domain the userPassword
attribute is a write-only field. When viewed, it says <NOT SET>. If I set
auth_by_bind to 1 I receive the following error, no matter what user account I
attempt to log in as. I also do not see a failed login attempt in the LDAP
server security event logs, so it's like it's failing before even attempting to
connect to the LDAP server.
[Tue Jul 02 08:11:39 2013] [error] [client 127.0.0.1] [Tue Jul 2 08:11:39 2013] opac-user.pl: LDAP Auth rejected : (sAMAccountName=duser1) gets 0 hits, referer: http://127.0.1.1/cgi-bin/koha/opac-user.pl
[Tue Jul 02 08:11:39 2013] [error] [client 127.0.0.1] [Tue Jul 2 08:11:39 2013] opac-user.pl: LDAP error #1: LDAP_OPERATIONS_ERROR, referer: http://127.0.1.1/cgi-bin/koha/opac-user.pl
What is strange is that if I set auth_by_bind to 0, I see on my domain
controller this log entry, scored by the auth_by_bind user, but it won't
authenticate or create the user's account in Koha.
An operation was performed on an object.

Subject:
    Security ID:      <domain>\<binding user>
    Account Name:     <binding user>
    Account Domain:   <domain>
    Logon ID:         0x29a39618

Object:
    Object Server:    DS
    Object Type:      user
    Object Name:      CN=Dummy User,OU=<Sub OU>,OU=<Sub OU>,OU=<Sub OU>,OU=<Sub OU>,DC=<domain>,DC=<domain ext>
    Handle ID:        0x0

Operation:
    Operation Type:   Object Access
    Accesses:         Control Access
    Access Mask:      0x100
    Properties:       Control Access
                      {91e647de-d96f-4b70-9557-d63ff4f3ccd8}
                      {6617e4ac-a2f1-43ab-b60c-11fbd1facf05}
                      {b3f93023-9239-4f7c-b99c-6745d87adbc2}
                      {b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7}
                      {771727b1-31b8-4cdf-ae62-4fe39fadf89e}
                      {612cb747-c0e8-4f92-9221-fdd5f15b550d}
                      {bf967aba-0de6-11d0-a285-00aa003049e2}

Additional Information:
    Parameter 1:      -
    Parameter 2:
As for a step-by-step process, we're pretty much a pure Windows 2008 domain
model right out of the box, so I'm not sure exactly what kind of step-by-step I
could provide, besides Microsoft documentation on authentication processes.
http://technet.microsoft.com/en-us/library/cc755284(v=ws.10).aspx
I can say that we have a Moodle server that is doing LDAPS authentication right
to both of our domain controllers. A couple of notes from that server: the
options below are ones I don't see the ability to set in Koha.
LDAP Version = 3
LDAP Encoding = cp1252
I also see that in Koha you can set a BASE, but in Moodle you set a context,
which is the first container to begin searching for users in.
ou=<OU>,dc=<DOMAIN>,dc=<DOMAIN EXT>
I switched the <BASE> in Koha to CN=Users, DC=<DOMAIN>, DC=<DOMAIN EXT> and
moved the Dummy User to the Users container, but that didn't work either; I
still receive the above LDAP_OPERATIONS_ERROR.
I did a little more testing and actually fired up Wireshark on the domain
controller I'm trying to authenticate against. If I use Ubuntu's ldapsearch
with the same information I'm using in the koha-conf files, I get an LDAP
bindRequest(1) "duser1 at daviscollege.edu" simple. When I attempt to authenticate
through Koha, I get 'bindRequest(1) "<ROOT>" simple'. It's like Koha is not
actually passing the authenticating user's userPrincipalName through correctly.
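The two Wireshark observations above differ only in the `name` field of the LDAP BindRequest: Wireshark prints "<ROOT>" when that LDAPDN octet string has zero length, which is what the server sees as an anonymous bind (empty name, empty password) or an unauthenticated bind (empty name, non-empty password; RFC 4513 says servers should reject these by default). The following is an added example, not Koha code and not from the bug report: it BER-encodes constructed sample BindRequest messages (RFC 4511 layout, simple authentication only) the way ldapsearch and the failing Koha path would have put them on the wire, decodes them, and classifies the bind the way the server would. The user name, password and message ID are made up for the demonstration.

```python
"""Encode/decode LDAPv3 BindRequest (RFC 4511, simple auth only) to show what
Wireshark's "<ROOT>" bind name means. Sample messages are constructed here."""

SEQUENCE = 0x30       # universal SEQUENCE, constructed
INTEGER = 0x02        # universal INTEGER
OCTET_STRING = 0x04   # universal OCTET STRING (LDAPDN is one)
BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
SIMPLE_AUTH = 0x80    # AuthenticationChoice simple: [CONTEXT 0], primitive


def _encode_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _encode_len(len(body)) + body


def build_bind_request(message_id: int, name: str, password: str,
                       version: int = 3) -> bytes:
    """LDAPMessage { messageID, BindRequest { version, name, simple } }.
    message_id/version are kept below 128 so a one-byte INTEGER suffices."""
    bind = _tlv(BIND_REQUEST,
                _tlv(INTEGER, bytes([version]))
                + _tlv(OCTET_STRING, name.encode("utf-8"))
                + _tlv(SIMPLE_AUTH, password.encode("utf-8")))
    return _tlv(SEQUENCE, _tlv(INTEGER, bytes([message_id])) + bind)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_bind_request(msg: bytes) -> dict:
    """Parse one LDAPMessage carrying a simple BindRequest and classify it
    as Wireshark/the DC would: 'simple' (named), 'unauthenticated' (empty
    name, non-empty password) or 'anonymous' (both empty)."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = _read_tlv(body, 0)
    if tag != INTEGER:
        raise ValueError("missing messageID")
    tag, bind, _ = _read_tlv(body, pos)
    if tag != BIND_REQUEST:
        raise ValueError("protocolOp is not a BindRequest")
    tag, ver, pos = _read_tlv(bind, 0)
    tag, name, pos = _read_tlv(bind, pos)
    if tag != OCTET_STRING:
        raise ValueError("BindRequest name is not an LDAPDN")
    tag, cred, _ = _read_tlv(bind, pos)
    if tag != SIMPLE_AUTH:
        raise ValueError("only simple authentication is handled here")
    dn = name.decode("utf-8")
    if dn == "" and cred == b"":
        kind = "anonymous"
    elif dn == "":
        kind = "unauthenticated"   # RFC 4513 5.1.2: servers SHOULD reject
    else:
        kind = "simple"
    return {
        "message_id": int.from_bytes(mid, "big"),
        "version": int.from_bytes(ver, "big"),
        "name": dn,
        "wireshark_name": dn or "<ROOT>",   # how the dissector renders an empty DN
        "kind": kind,
    }


if __name__ == "__main__":
    # Constructed samples: what ldapsearch sent vs. what the failing Koha path sent.
    good = build_bind_request(1, "duser1@daviscollege.edu", "hunter2")
    bad = build_bind_request(1, "", "hunter2")
    for label, pkt in (("ldapsearch", good), ("koha", bad)):
        d = decode_bind_request(pkt)
        print(f'{label}: bindRequest({d["message_id"]}) '
              f'"{d["wireshark_name"]}" simple -> {d["kind"]}  [{pkt.hex()}]')
```

Run stand-alone it prints both decoded requests; the second one shows that a bind whose name is "<ROOT>" but which still carries a password is an unauthenticated bind, so a directory rejecting it is behaving as RFC 4513 recommends rather than failing on the user's credentials.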